chinese_generic_botnet | 0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116

General

Target

0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116.exe
Size

432KB
MD5

9fbcc7ee6dd506ce3fbe3fdf60a1a98a
SHA1

073849e1716fb74022c2465f9aa06e064c4ea63e
SHA256

0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116
SHA512

bbfb70dd42ddd5201bd6fd4871b42f311d99fcb93cb9b576407073ec8b1b8a46374b3b8d7cd527dfa94f4bfe6c91d7419392236bf9a9f0fbce13170e444e89d1

Score

10^/10

chinese_generic_botnet botnet upx vmprotect

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet Payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/1032-55-0x0000000010000000-0x0000000010017000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

pid	Process
1420	Fvsxjme.bat
1464	Fvsxjme.bat

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001273d-60.dat	upx
behavioral1/files/0x000900000001273d-61.dat	upx
behavioral1/files/0x000900000001273d-69.dat	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1032-55-0x0000000010000000-0x0000000010017000-memory.dmp	vmprotect

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Fhdiwa\Fvsxjme.bat	0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116.exe
File opened for modification	C:\Program Files (x86)\Microsoft Fhdiwa\Fvsxjme.bat	0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1032	0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116.exe
1420	Fvsxjme.bat
1464	Fvsxjme.bat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1032	0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1032	0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116.exe
1420	Fvsxjme.bat
1464	Fvsxjme.bat

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1464	1420	Fvsxjme.bat	29
PID 1420 wrote to memory of 1464	1420	Fvsxjme.bat	29
PID 1420 wrote to memory of 1464	1420	Fvsxjme.bat	29
PID 1420 wrote to memory of 1464	1420	Fvsxjme.bat	29

C:\Users\Admin\AppData\Local\Temp\0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116.exe
"C:\Users\Admin\AppData\Local\Temp\0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Program Files (x86)\Microsoft Fhdiwa\Fvsxjme.bat
"C:\Program Files (x86)\Microsoft Fhdiwa\Fvsxjme.bat"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Microsoft Fhdiwa\Fvsxjme.bat
  "C:\Program Files (x86)\Microsoft Fhdiwa\Fvsxjme.bat" Win7
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Fhdiwa\Fvsxjme.bat

Filesize
432KB

MD5
9fbcc7ee6dd506ce3fbe3fdf60a1a98a

SHA1
073849e1716fb74022c2465f9aa06e064c4ea63e

SHA256
0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116

SHA512
bbfb70dd42ddd5201bd6fd4871b42f311d99fcb93cb9b576407073ec8b1b8a46374b3b8d7cd527dfa94f4bfe6c91d7419392236bf9a9f0fbce13170e444e89d1

Download Submit
C:\Program Files (x86)\Microsoft Fhdiwa\Fvsxjme.bat

Filesize
432KB

MD5
9fbcc7ee6dd506ce3fbe3fdf60a1a98a

SHA1
073849e1716fb74022c2465f9aa06e064c4ea63e

SHA256
0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116

SHA512
bbfb70dd42ddd5201bd6fd4871b42f311d99fcb93cb9b576407073ec8b1b8a46374b3b8d7cd527dfa94f4bfe6c91d7419392236bf9a9f0fbce13170e444e89d1

Download Submit
C:\Program Files (x86)\Microsoft Fhdiwa\Fvsxjme.bat

Filesize
432KB

MD5
9fbcc7ee6dd506ce3fbe3fdf60a1a98a

SHA1
073849e1716fb74022c2465f9aa06e064c4ea63e

SHA256
0da182d4a35ca4c180e55b48895b16abc1d94b1d464b726c5018d6ff847e3116

SHA512
bbfb70dd42ddd5201bd6fd4871b42f311d99fcb93cb9b576407073ec8b1b8a46374b3b8d7cd527dfa94f4bfe6c91d7419392236bf9a9f0fbce13170e444e89d1

Download Submit
memory/1032-54-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/1032-55-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing